Anonymous broadcast method, key exchange method, anonymous broadcast system, key exchange system, communication device, and program

ABSTRACT

A key exchange technique of performing a key exchange among N (≥2) parties, which can conceal metadata on communication, is provided. A key exchange method includes: a first key generation step in which a communication device Ui generates a first key; a first anonymous broadcast step in which the communication device Ui anonymously broadcasts the first key with a set R−{Ui} being designated for i∈{1, . . . , n} and the communication device Ui anonymously broadcasts the first key with φ being designated for i∈{n+1, . . . , N}; a second key generation step in which the communication device Ui generates a second key; a second anonymous broadcast step in which the communication device Ui anonymously broadcasts the second key with the set R−{Ui} being designated for i∈{1, . . . , n} and the communication device Ui anonymously broadcasts the second key with φ being designated for i∈{n+1, . . . , N}; and a session key generation step in which the communication device Ui generates a session key SK for i∈{1, . . . , n} if a predetermined condition is satisfied.

TECHNICAL FIELD

This invention relates to applications of information security technologies and, in particular, relates to a key exchange technique that allows a plurality of users, who make up a group, to share a common key.

BACKGROUND ART

A key exchange technique that allows a plurality of users, who make up a group, to share a common key has been proposed. An example of a system that implements such a key exchange technique is shown in FIG. 1. A key exchange system 90 includes a key exchange server 700 and N (≥2) communication devices 800₁, . . . , 800_(N). In this system, the key exchange server 700 and the communication devices 800₁, . . . , 800_(N) are each connected to a communication network 900, and each communication device 800_(i) exchanges keys with another communication device 800_(j) via the key exchange server 700 (1≤i, j≤N; i≠j). However, there is a problem in that the key exchange needed to ensure the confidentiality of communication leaks metadata on the communication, such as when and how frequently which communication device communicates with which communication device, to an outside attacker, which makes it difficult to conceal the metadata completely. For example, in a key exchange using a public key infrastructure (PKI), an attacker who observes a user fetching a public key learns that the user wants to communicate with the owner of that public key.

Therefore, the protocol of Non-patent Literature 1 has been proposed as a key exchange technique that can conceal metadata. The technique of Non-patent Literature 1 implements a key exchange between two parties using probabilistic public key encryption over the communication channel. This makes it possible to conceal metadata on the communication (for instance, a telephone number, a destination, a source, communication time, a communication path, an attached file name, and the number of transmissions) at the time of a key exchange between two parties.

PRIOR ART LITERATURE

Non-Patent Literature

-   Non-patent Literature 1: David Lazar and Nickolai Zeldovich, “Alpenhorn: Bootstrapping Secure Communication without Leaking Metadata”, [online], [searched on Jul. 14, 2017], the Internet <URL: https://vuvuzela.io/alpenhorn-extended.pdf>

SUMMARY OF THE INVENTION

Problems to be Solved by the Invention

However, in the technique of Non-patent Literature 1, the users who can exchange a common key are limited to two parties. This makes it impossible to implement a key exchange with metadata concealed in communication among N (≥3) parties.

An object of the present invention is accordingly to provide a key exchange technique of performing a key exchange among N (≥2) parties, which can conceal metadata on communication.

Means to Solve the Problems

An aspect of the present invention is an anonymous broadcast method in which N is an integer greater than or equal to 2, L is an integer greater than or equal to 1, and the method allows the communication devices included in a set R={U₁, . . . , U_(n)} (2≤n≤N) of N communication devices U₁, . . . , U_(N) to share messages M₁, . . . , M_(n). ID_(i) (1≤i≤N) is an identifier of a communication device U_(i), MPK_(j) (1≤j≤L) is a master public key of an anonymous ID-based broadcast encryption scheme, SMPK_(j) (1≤j≤L) is a master public key of an ID-based signature scheme, dk_(i)^((j)) (1≤i≤N, 1≤j≤L) is a decryption key of the anonymous ID-based broadcast encryption scheme, and sk_(i)^((j)) (1≤i≤N, 1≤j≤L) is a signature key of the ID-based signature scheme. The anonymous broadcast method includes the following steps.

A cipher text generation step: for i∈{1, . . . , n}, the communication device U_(i) generates a signature ω_(i)←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk_(i)^((j)), (ID_(i), M_(i))) from the master public key Σ_(j=1, . . . , L)SMPK_(j), the signature key Σ_(j=1, . . . , L)sk_(i)^((j)), and the message (ID_(i), M_(i)), which is a tuple of the identifier ID_(i) and the message M_(i), and then generates cipher text C_(i)←(Σ_(j=1, . . . , L)MPK_(j), (ID_(i), ω_(i), M_(i)), R−{U_(i)}) from the master public key Σ_(j=1, . . . , L)MPK_(j), the plaintext (ID_(i), ω_(i), M_(i)), which is a tuple of the identifier ID_(i), the signature ω_(i), and the message M_(i), and the recipient set R−{U_(i)}; for i∈{n+1, . . . , N}, the communication device U_(i) generates cipher text C_(i) which is a dummy message.

A cipher text obtaining step: for i∈{1, . . . , N}, the communication device U_(i) obtains the cipher text {C₁, . . . , C_(N)} after a shuffle performed by a mix-net.

A message reconstruction step: for i∈{1, . . . , N}, the communication device U_(i) generates a message (ID_(k), ω_(k), M_(k))←(Σ_(j=1, . . . , L)dk_(i)^((j)), C_(k)) from the decryption key Σ_(j=1, . . . , L)dk_(i)^((j)) and the cipher text C_(k) (1≤k≤N) and, if U_(i)∈R−{U_(k)}, generates a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), M_(k), ω_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j) and the message (ID_(k), ω_(k), M_(k)) and, if the signature ω_(k) is successfully verified, regards the message M_(k) as a message transmitted from the communication device U_(k) with identifier ID_(k). In this way, each communication device U_(i)∈R obtains the messages M₁, . . . , M_(n).
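
The three steps above, run end to end as a toy simulation in Python. This is an added example and not code from the patent: the anonymous ID-based broadcast encryption scheme is replaced by multi-recipient ElGamal over Z_p^* with ordinary public keys and unlabelled fixed-size slots, the ID-based signature by a Schnorr-style signature in the same group, and the mix-net by M servers that each apply a secret permutation. The modulus p=2^521−1, the base 3, the slot layout and every name in the block are assumptions, and Z_p^* with this base is not a prime-order group, so nothing here is usable as-is. What it shows is the round structure: every device, member of R or not, emits one cipher text of identical shape, the mix-net breaks the link to the sender, and every device tries to decrypt every cipher text and accepts a message only when its signature verifies.

```python
"""Toy simulation of one anonymous-broadcast round (added example, not the
patent's code).  Stand-ins, all assumed: the AIBBE scheme is replaced by
multi-recipient ElGamal over Z_p^* with ordinary public keys and unlabelled,
fixed-size slots; the ID-based signature by a Schnorr-style signature with
exponents reduced mod p-1; the mix-net by M servers that each apply a secret
permutation.  p = 2^521-1 is prime but no prime-order subgroup is used here:
this shows the round structure only and must not be used as-is."""
import hashlib
import secrets

P = (1 << 521) - 1            # Mersenne prime M521, toy modulus
G = 3                         # toy base element
ELEM, ID_LEN, MSG_LEN, TAG_LEN = 66, 4, 32, 16   # bytes: Z_p element, ID, padded M, tag
PT_LEN = ID_LEN + 2 * ELEM + MSG_LEN            # (ID_k, omega_k, M_k) serialised

def i2b(x):
    return x.to_bytes(ELEM, "big")

def H(*parts):
    """Hash length-prefixed byte strings to an integer (toy random oracle)."""
    h = hashlib.sha256()
    for x in parts:
        h.update(len(x).to_bytes(4, "big") + x)
    return int.from_bytes(h.digest(), "big")

def sign(sk, msg):
    """Schnorr-style: e = H(g^k, msg), s = k + e*sk mod (p-1)."""
    k = secrets.randbelow(P - 2) + 1
    e = H(i2b(pow(G, k, P)), msg)
    return e, (k + e * sk) % (P - 1)

def verify(pk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, -e, P) % P   # g^s * pk^-e == g^k for a valid signature
    return H(i2b(r), msg) == e

def slot_seal(key, pt):
    """Toy slot AEAD: SHAKE256 keystream xor pt, then a 16-byte SHA-256 tag."""
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(i2b(key)).digest(len(pt))))
    return ct + hashlib.sha256(i2b(key) + ct).digest()[:TAG_LEN]

def slot_open(key, slot):
    ct, tag = slot[:-TAG_LEN], slot[-TAG_LEN:]
    if hashlib.sha256(i2b(key) + ct).digest()[:TAG_LEN] != tag:
        return None                       # wrong key, or a padding slot
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(i2b(key)).digest(len(ct))))

def bcast_encrypt(pks, pt, recipients, n_slots):
    """Cipher text (g^r, n_slots shuffled slots).  Non-recipient slots are random, so a
    cipher text for R-{U_i} and a dummy for the empty set have identical shape."""
    r = secrets.randbelow(P - 2) + 1
    slots = [slot_seal(H(i2b(pow(pks[j], r, P))), pt) for j in recipients]
    slots += [secrets.token_bytes(PT_LEN + TAG_LEN) for _ in range(n_slots - len(slots))]
    secrets.SystemRandom().shuffle(slots)
    return pow(G, r, P), slots

def bcast_decrypt(sk, ct):
    c1, slots = ct
    key = H(i2b(pow(c1, sk, P)))          # equals H(pk^r) only for a designated recipient
    for s in slots:                       # try every slot; at most one opens
        pt = slot_open(key, s)
        if pt is not None:
            return pt
    return None

def encode(id_k, sig, m):
    return id_k.to_bytes(ID_LEN, "big") + i2b(sig[0]) + i2b(sig[1]) + m.ljust(MSG_LEN, b"\0")

def decode(pt):
    id_k = int.from_bytes(pt[:ID_LEN], "big")
    sig = (int.from_bytes(pt[ID_LEN:ID_LEN + ELEM], "big"),
           int.from_bytes(pt[ID_LEN + ELEM:ID_LEN + 2 * ELEM], "big"))
    return id_k, sig, pt[ID_LEN + 2 * ELEM:].rstrip(b"\0")   # toy: M must not end in NUL

def run_round(N, R, messages, M=3):
    """Devices U_1..U_N, recipient set R (indices), messages {i: M_i} for i in R.
    Returns {i: {k: M_k}}: members of R get the other members' messages, outsiders get {}."""
    sks = {i: secrets.randbelow(P - 2) + 1 for i in range(1, N + 1)}   # stand-in for dk_i / sk_i
    pks = {i: pow(G, x, P) for i, x in sks.items()}
    cts = []
    for i in range(1, N + 1):                       # (1) signature and encryption, or dummy
        if i in R:
            omega = sign(sks[i], i.to_bytes(ID_LEN, "big") + messages[i])
            cts.append(bcast_encrypt(pks, encode(i, omega, messages[i]), R - {i}, N - 1))
        else:
            cts.append(bcast_encrypt(pks, encode(i, (0, 0), b"dummy"), set(), N - 1))
    for _ in range(M):                              # (2) mix-net: each server permutes
        secrets.SystemRandom().shuffle(cts)
    out = {}
    for i in range(1, N + 1):                       # (3) every device tries every cipher text
        got = {}
        for ct in cts:
            pt = bcast_decrypt(sks[i], ct)
            if pt is None:
                continue
            k, omega, m = decode(pt)
            if k in pks and verify(pks[k], k.to_bytes(ID_LEN, "big") + m, omega):
                got[k] = m
        out[i] = got
    return out
```

Calling run_round(4, {1, 2, 3}, {1: b"m1", 2: b"m2", 3: b"m3"}) gives each of U₁, U₂, U₃ the other two members' messages and gives U₄ nothing; a non-recipient slot is random bytes, which is what makes the cipher text for R−{U_(i)} and the dummy for φ identical in length and format. One caveat the toy does not model: a bare permutation of bit-identical cipher texts can be undone by comparing S₁'s input with S_(M)'s output, so a real mix-net must also transform each cipher text at every server, as the hybrid mix of Reference Non-patent Literature 4 does.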

An aspect of the present invention is a key exchange method in which N is an integer greater than or equal to 2, L is an integer greater than or equal to 1, and the method allows the communication devices included in a set R={U₁, . . . , U_(n)} (2≤n≤N) of N communication devices U₁, . . . , U_(N) to share a session key SK. ID_(i) (1≤i≤N) is an identifier of a communication device U_(i), MPK_(j) (1≤j≤L) is a master public key of an anonymous ID-based broadcast encryption scheme, SMPK_(j) (1≤j≤L) is a master public key of an ID-based signature scheme, dk_(i)^((j)) (1≤i≤N, 1≤j≤L) is a decryption key of the anonymous ID-based broadcast encryption scheme, sk_(i)^((j)) (1≤i≤N, 1≤j≤L) is a signature key of the ID-based signature scheme, G is a finite cyclic group of prime order p with generators g and h, ∥ is a concatenation operator, and secret strings st_(i) and st′_(i) are recorded on a recording unit of the communication device U_(i) (1≤i≤N). The key exchange method includes the following steps.

A first key generation step: for i∈{1, . . . , n}, the communication device U_(i) calculates r_(i), k_(i), and s_(i) from the secret strings st_(i) and st′_(i) by a twisted pseudo-random function and generates a first key (R_(i), c_(i)) by calculating R_(i)=g^(r_i) and c_(i)=g^(k_i)h^(s_i); for i∈{n+1, . . . , N}, the communication device U_(i) randomly selects R_(i), c_(i)∈_(R)G and generates a first key (R_(i), c_(i)).

A first anonymous broadcast step: for i∈{1, . . . , n}, the communication device U_(i) anonymously broadcasts the first key (R_(i), c_(i)) with the set R−{U_(i)} designated; for i∈{n+1, . . . , N}, the communication device U_(i) anonymously broadcasts the first key (R_(i), c_(i)) with φ, which means no recipient, designated.

A second key generation step: for i∈{2, . . . , n}, the communication device U_(i) calculates a session ID sid from c_(k) (1≤k≤n) by a target-collision resistant hash function, calculates K_(i)^((l)) from (sid, R_(i−1)^(r_i)) by a pseudo-random function, calculates K_(i)^((r)) from (sid, R_(i+1)^(r_i)) by a pseudo-random function (indices are taken cyclically, so that R_(n+1) denotes R₁), calculates T_(i) as the exclusive OR of K_(i)^((l)) and K_(i)^((r)), randomly selects T′_(i)∈_(R)Z_(p)², generates a signature σ_(i)←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk_(i)^((j)), (R, R_(i), c_(i), k_(i), s_(i), T_(i), T′_(i))) from the master public key Σ_(j=1, . . . , L)SMPK_(j), the signature key Σ_(j=1, . . . , L)sk_(i)^((j)), and the message (R, R_(i), c_(i), k_(i), s_(i), T_(i), T′_(i)), and generates a second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)). For i=1, the communication device U₁ calculates the session ID sid from c_(k) (1≤k≤n) by the target-collision resistant hash function, calculates K₁^((l)) from (sid, R_(n)^(r_1)) by a pseudo-random function, calculates K₁^((r)) from (sid, R₂^(r_1)) by a pseudo-random function, calculates T₁ as the exclusive OR of K₁^((l)) and K₁^((r)), calculates T′ as the exclusive OR of K₁^((l)) and k₁∥s₁, randomly selects k″₁, s″₁∈_(R)Z_(p), generates a signature σ₁←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk₁^((j)), (R, R₁, c₁, k″₁, s″₁, T₁, T′)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), the signature key Σ_(j=1, . . . , L)sk₁^((j)), and the message (R, R₁, c₁, k″₁, s″₁, T₁, T′), and generates a second key (k″₁, s″₁, T₁, T′, σ₁). For i∈{n+1, . . . , N}, the communication device U_(i) randomly selects k_(i), s_(i)∈_(R)Z_(p), T_(i), T′_(i)∈_(R)Z_(p)², and σ_(i)∈_(R)Σ (where Σ is the signature space) and generates a second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)).

A second anonymous broadcast step: for i∈{2, . . . , n}, the communication device U_(i) anonymously broadcasts the second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)) with the set R−{U_(i)} designated; for i=1, the communication device U₁ anonymously broadcasts the second key (k″₁, s″₁, T₁, T′, σ₁) with the set R−{U₁} designated; for i∈{n+1, . . . , N}, the communication device U_(i) anonymously broadcasts the second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)) with φ designated.

A session key generation step: for i∈{2, . . . , n}, when the communication device U_(i) obtains the second key (k″₁, s″₁, T₁, T′, σ₁) and the second keys (k_(k), s_(k), T_(k), T′_(k), σ_(k)) (2≤k≤n, k≠i), the communication device U_(i) generates a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), σ_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), the message (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)) (for k=1, the message (R, R₁, c₁, k″₁, s″₁, T₁, T′)), and the signature σ_(k) and, if every signature σ_(k) is successfully verified, calculates K₁^((l)) as the exclusive OR of K_(i)^((l)) and the exclusive OR of the T_(j) (1≤j≤i−1), calculates k₁∥s₁ as the exclusive OR of T′ and K₁^((l)), and, if c_(k)=g^(k_k)h^(s_k) holds for every k with 1≤k≤n, generates the session key SK from the sid and the exclusive OR of the k_(k) (1≤k≤n) by a pseudo-random function. For i=1, when the communication device U₁ obtains the second keys (k_(k), s_(k), T_(k), T′_(k), σ_(k)) (2≤k≤n), the communication device U₁ generates a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), σ_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), the message (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), and the signature σ_(k) and, if every signature σ_(k) is successfully verified and c_(k)=g^(k_k)h^(s_k) holds for every k with 1≤k≤n, generates the session key SK from the sid and the exclusive OR of the k_(k) (1≤k≤n) by a pseudo-random function.
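
The key exchange steps above worked through in Python as an added example, not the patent's code. It instantiates the symbols of the method with toy choices, all of them assumptions: G is Z_p^* for the Mersenne prime p=2^521−1 with fixed bases g=3 and h=5 (no prime-order subgroup, so illustration only), the twisted pseudo-random function is built from HMAC-SHA256 following the definition in the notation section below, the pseudo-random function F maps (sid, group element) to Z_(p)² via SHAKE256, the target-collision resistant hash is SHA-256, and SK is HMAC-SHA256 of the sid keyed by the exclusive OR of the k_(k). The signatures σ_(i), the dummy devices U_(n+1), . . . , U_(N) and the anonymous broadcast transport are left out; the values a device would broadcast are handed around as dictionaries. The point is the exclusive-OR ring: T₁, . . . , T_(i−1) telescope so that every U_(i) recovers K₁^((l)) and hence k₁∥s₁, and the commitment check c_(k)=g^(k_k)h^(s_k) rejects any altered k_(k).

```python
"""Worked example of the key exchange steps (added here; not the patent's code).
Assumptions, all toy: G is Z_p^* with the Mersenne prime p = 2^521-1 and fixed
bases g = 3, h = 5 (no prime-order subgroup, illustration only); tPRF is built
from HMAC-SHA256 as tPRF(a,a',b,b') = F(a,b) xor F(b',a'); F: {0,1}^k x G -> Z_p^2
is SHAKE256 with 2*66 output bytes; TCR is SHA-256; SK = HMAC-SHA256(xor of k_j, sid);
the two ephemeral inputs of tPRF are drawn fresh per session.  Signatures, dummy
devices and the anonymous broadcast transport are left out."""
import hashlib
import hmac
import secrets

P = (1 << 521) - 1                 # toy modulus (Mersenne prime M521)
G_BASE, H_BASE = 3, 5              # g and h (assumed independent bases; toy)
ELEM = 66                          # bytes per Z_p element

def i2b(x):
    return x.to_bytes(ELEM, "big")

def b2i(b):
    return int.from_bytes(b, "big")

def xor(*parts):
    out = bytes(len(parts[0]))
    for b in parts:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out

def tprf(a, a1, b, b1):
    """Twisted PRF: F(a,b) xor F(b',a'), with F(x, key) = HMAC-SHA256(key, x)."""
    return xor(hmac.digest(b, a, "sha256"), hmac.digest(a1, b1, "sha256"))

def prf_g(sid, elem):
    """F: (sid, group element) -> Z_p^2, serialised as 2*ELEM bytes."""
    return hashlib.shake_256(sid + i2b(elem)).digest(2 * ELEM)

class Device:
    """U_i holding the secret strings (st_i, st'_i) generated at system setup."""
    def __init__(self, i):
        self.i, self.st, self.st1 = i, secrets.token_bytes(32), secrets.token_bytes(32)

    def first_key(self):
        # r_i, k_i, s_i from (st_i, st'_i) by tPRF; the other two inputs are per-session randomness
        self.r, self.k, self.s = (
            b2i(tprf(self.st1, self.st, secrets.token_bytes(32), secrets.token_bytes(32)))
            for _ in range(3))
        self.R = pow(G_BASE, self.r, P)
        self.c = pow(G_BASE, self.k, P) * pow(H_BASE, self.s, P) % P   # commitment to (k_i, s_i)
        return self.R, self.c

    def second_key(self, firsts, n):
        """firsts[j] = (R_j, c_j), j = 1..n.  Returns (k, s, T, T') as U_i would broadcast."""
        i = self.i
        self.sid = hashlib.sha256(b"".join(i2b(firsts[j][1]) for j in range(1, n + 1))).digest()
        left = firsts[n if i == 1 else i - 1][0]          # R_{i-1}, cyclically
        right = firsts[1 if i == n else i + 1][0]         # R_{i+1}, cyclically
        self.Kl = prf_g(self.sid, pow(left, self.r, P))   # = K_{i-1}^(r): R_{i-1}^{r_i} = R_i^{r_{i-1}}
        self.Kr = prf_g(self.sid, pow(right, self.r, P))
        T = xor(self.Kl, self.Kr)
        if i == 1:                                        # U_1 hides k_1||s_1 under K_1^(l)
            return (secrets.randbelow(P), secrets.randbelow(P), T, xor(self.Kl, i2b(self.k) + i2b(self.s)))
        return (self.k, self.s, T, secrets.token_bytes(2 * ELEM))   # T'_i is a random filler

    def session_key(self, firsts, seconds, n):
        """seconds[j] = (k_j, s_j, T_j, T'_j).  Returns SK, or None if a commitment does not open."""
        ks = {j: seconds[j][0] for j in range(1, n + 1)}
        ss = {j: seconds[j][1] for j in range(1, n + 1)}
        if self.i == 1:
            ks[1], ss[1] = self.k, self.s
        else:
            # K_i^(l) xor T_1 xor ... xor T_{i-1} telescopes to K_1^(l)
            K1l = xor(self.Kl, *(seconds[j][2] for j in range(1, self.i)))
            k1s1 = xor(seconds[1][3], K1l)                # T' xor K_1^(l) = k_1 || s_1
            ks[1], ss[1] = b2i(k1s1[:ELEM]), b2i(k1s1[ELEM:])
        for j in range(1, n + 1):                         # every c_j must open to (k_j, s_j)
            if firsts[j][1] != pow(G_BASE, ks[j], P) * pow(H_BASE, ss[j], P) % P:
                return None
        kx = 0
        for j in range(1, n + 1):
            kx ^= ks[j]
        return hmac.digest(i2b(kx), self.sid, "sha256")

def run_exchange(n):
    """U_1..U_n run both rounds; returns the list of the n session keys."""
    devs = [Device(i) for i in range(1, n + 1)]
    firsts = {d.i: d.first_key() for d in devs}
    seconds = {d.i: d.second_key(firsts, n) for d in devs}
    return [d.session_key(firsts, seconds, n) for d in devs]
```

run_exchange(n) returns n identical session keys, for n=2 as well, where each device is its own left and right neighbour. Replacing k₂ by k₂+1 in U₂'s second key makes every other device's session_key return None at the commitment check, which is what binds each k_(k) to the first-round commitment c_(k) before it is revealed.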

Effects of the Invention

According to the present invention, a plurality of users can share a common key with the metadata on their communication concealed. Furthermore, in the more general sense, a plurality of users can share messages with the metadata concealed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing an example of the configuration of a key exchange system 90.

FIG. 2 is a diagram showing an example of the configuration of a key exchange system 10.

FIG. 3 is a diagram showing an example of the configuration of a key generation server 100.

FIG. 4 is a diagram showing an example of the configuration of a release server 200.

FIG. 5 is a diagram showing an example of the configuration of a mix-net server 300.

FIG. 6 is a diagram showing an example of the configuration of a communication device 400.

FIG. 7 is a diagram showing an example of the configuration of an anonymous broadcast unit 410.

FIG. 8 is a diagram showing an example of the operation of the key generation server 100 in system setup.

FIG. 9 is a diagram showing an example of the operation of the release server 200 in system setup.

FIG. 10 is a diagram showing an example of the operation of the communication device 400 in system setup.

FIG. 11 is a diagram showing an example of the operation of the communication device 400 in broadcast.

FIG. 12 is a diagram showing an example of the operation of the communication device 400 in session key generation.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Hereinafter, an embodiment of the present invention will be described in detail. It is to be noted that component units having the same function will be identified with the same reference character and overlapping explanations will be omitted.

<Notation System>

Prior to the explanation of the embodiment, the notation used in this specification will be explained.

An underscore (_) represents a subscript. For example, x^(y_z) denotes that y_(z) is a superscript attached to x, and x_(y_z) denotes that y_(z) is a subscript attached to x.

Randomly selecting an element m from a given set Set is written as m∈_(R)Set.

When a given algorithm ALG outputs y for input x and a random number r, this output is written as y←ALG(x;r). It is to be noted that, if ALG is a deterministic algorithm, the random number r is null.

κ is assumed to be a security parameter.

[Pseudo-Random Function (PRF)]

F={F_(κ):Dom_(κ)×FS_(κ)→Rng_(κ)}_(κ) is assumed to be a family of functions with a domain {Dom_(κ)}_(κ), a key space {FS_(κ)}_(κ), and a range {Rng_(κ)}_(κ). If no distinguisher D running in arbitrary polynomial time can distinguish the function F_(κ) from a truly random function RF_(κ):Dom_(κ)→Rng_(κ), F={F_(κ)}_(κ) is referred to as a family of pseudo-random functions. A specific example of a pseudo-random function is described in, for example, Reference Non-patent Literature 1 below.

-   (Reference Non-patent Literature 1: O. Goldreich, “Modern    Cryptography, Probabilistic Proofs and Pseudorandomness”,    Springer-Verlag Tokyo, 2001)

[Target-Collision Resistant Hash Function]

H={H_(κ):Dom_(κ)→Rng_(κ)}_(κ) is assumed to be a family of hash functions with a domain {Dom_(κ)}_(κ) and a range {Rng_(κ)}_(κ). If no attacker A running in arbitrary polynomial time, given x∈_(R)Dom_(κ), can find x′ (≠x) such that H_(κ)(x)=H_(κ)(x′), H={H_(κ)}_(κ) is referred to as a family of target-collision resistant hash functions. A specific example of a target-collision resistant hash function is described in, for example, Reference Non-patent Literature 2 below.

-   (Reference Non-patent Literature 2: J. A. Buchmann, “Introduction to    Cryptography—Edition 3”, Maruzen Publishing Co., Ltd., 2007)

[Twisted Pseudo-Random Function (Twisted PRF)]

A function tPRF: {0, 1}^(κ)×FS_(κ)×FS_(κ)×{0, 1}^(κ)→Rng_(κ) is referred to as a twisted pseudo-random function and is defined as follows using a pseudo-random function F_(κ).

tPRF(a, a′, b, b′) := F_(κ)(a, b) ⊕ F_(κ)(b′, a′)

Here, a, b′∈{0, 1}^(κ) and a′, b∈FS_(κ). A specific example of a twisted pseudo-random function is described in, for example, Reference Non-patent Literature 3 below.

-   (Reference Non-patent Literature 3: Kazuki Yoneyama, “One-Round    Authenticated Key Exchange with Strong Forward Secrecy in the    Standard Model against Constrained Adversary”, IEICE Transactions,    vol. E96-A, no. 6, pp. 1124-1138, 2013.)

[Mix-Net]

A mix-net system includes M (M is an integer greater than or equal to 2) mix-net servers S₁, . . . , S_(M). The mix-net server S₁, which is the first server, receives the N (N is an integer greater than or equal to 2) input messages to be processed in one round (that is, one pass of the processing performed by S₁, . . . , S_(M)). The mix-net servers then shuffle the messages in the order m=1, . . . , M, and the mix-net server S_(M), which is the last server, outputs the same N messages in shuffled order. Even if an outside attacker colludes with up to M−1 of the M mix-net servers, the attacker cannot learn the correspondence between the input messages and the output messages. A specific example of a secure mix-net protocol is described in, for example, Reference Non-patent Literature 4 below.

-   (Reference Non-patent Literature 4: Miyako Ohkubo, Masayuki Abe, “A    Length-Invariant Hybrid Mix”, ASIACRYPT'00, Proceedings of the 6th    International Conference on the Theory and Application of Cryptology    and Information Security: Advances in Cryptology, pp. 178-191,    2000.)

[Anonymous ID-Based Broadcast Encryption (AIBBE) Scheme]

An anonymous ID-based broadcast encryption scheme consists of the following four algorithms.

A master key generation algorithm (1^(κ)) outputs a master secret key MSK and a master public key MPK using the security parameter κ as input. A key generation center KGC is provided with the master secret key MSK. Moreover, the master public key MPK is made public.

A decryption key generation algorithm (MSK, ID_(i)) outputs a decryption key dk_(i) using the master secret key MSK and an identifier ID_(i) of a user i (1≤i≤N) as input. The decryption key dk_(i) is securely transmitted to the user i.

An encryption algorithm (MPK, M, R) outputs cipher text CT using the master public key MPK, plaintext M, and a set R of recipients as input. Here, the set R of recipients is a set of identifiers of the users who are the recipients of the plaintext M.

A decryption algorithm (dk_(i), CT) outputs the plaintext M using the decryption key dk_(i) and the cipher text CT as input, provided that the identifier ID_(i) of the user i is included in the set R of recipients.

A specific example of a secure AIBBE scheme is described in, for example, Reference Non-patent Literature 5 below.

-   (Reference Non-patent Literature 5: Kai He, Jian Weng, Jia-Nan Liu,    Joseph K. Liu, Wei Liu, Robert H. Deng, “Anonymous Identity-Based    Broadcast Encryption with Chosen-Ciphertext Security”, ASIA CCS'16,    Proceedings of the 11th ACM on Asia Conference on Computer and    Communications Security, pp. 247-255, 2016.)

An any-trust anonymous ID-based broadcast encryption (anytrust-AIBBE: AT-AIBBE) scheme is defined on top of the anonymous ID-based broadcast encryption scheme. To distribute trust, the AT-AIBBE scheme uses a plurality of key generation centers KGC₁, . . . , KGC_(L) (L is an integer greater than or equal to 1). Each key generation center KGC_(j) (1≤j≤L) makes a master public key MPK_(j) public and generates a decryption key dk_(i)^((j)) for a user i (1≤i≤N). The user i (1≤i≤N) encrypts plaintext M and obtains cipher text CT←(Σ_(j=1, . . . , L)MPK_(j), M, R). Furthermore, the user i (1≤i≤N) decrypts the cipher text CT and obtains the plaintext M←(Σ_(j=1, . . . , L)dk_(i)^((j)), CT) (only if the identifier ID_(i) of the user i is included in the recipient set R). Even if any L−1 of the L key generation centers KGC_(j) (1≤j≤L) are malicious, they cannot decrypt the cipher text CT.

[ID-Based Signature Scheme]

An ID-based signature scheme consists of the following four algorithms.

A master key generation algorithm (1^(κ)) outputs a master secret key SMSK and a master public key SMPK using the security parameter κ as input. A key generation center KGC is provided with the master secret key SMSK. Moreover, the master public key SMPK is made public.

A signature key generation algorithm (SMSK, ID_(i)) outputs a signature key sk_(i) using the master secret key SMSK and an identifier ID_(i) of a user i (1≤i≤N) as input. The signature key sk_(i) is securely transmitted to the user i.

A signature generation algorithm (SMPK, sk_(i), M) outputs a signature σ using the master public key SMPK, the signature key sk_(i), and a message M as input.

A signature verifying algorithm (SMPK, ID_(i), M, σ) outputs a verification result Ver (for example, 0 or 1 as a binary value indicating the verification result) using the master public key SMPK, the identifier ID_(i) of the user i, the message M, and the signature σ as input.

An any-trust ID-based signature (anytrust-IBS: AT-IBS) scheme is defined on top of the ID-based signature scheme. To distribute trust, the AT-IBS scheme uses a plurality of key generation centers KGC₁, . . . , KGC_(L) (L is an integer greater than or equal to 1). Each key generation center KGC_(j) (1≤j≤L) makes a master public key SMPK_(j) public and generates a signature key sk_(i)^((j)) for a user i (1≤i≤N). The user i (1≤i≤N) obtains a signature σ←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk_(i)^((j)), M) for a message M. Furthermore, a verifier checks the signature σ and obtains a verification result Ver←(Σ_(j=1, . . . , L)SMPK_(j), ID_(i), M, σ). Even if any L−1 of the L key generation centers KGC_(j) (1≤j≤L) are malicious, they cannot forge the signature σ.

<System Configuration>

As illustrated in FIG. 2, a key exchange system 10 of the embodiment includes L (≥1) key generation servers 100₁, . . . , 100_(L), a release server 200, M (≥2) mix-net servers 300₁, . . . , 300_(M), and N (≥2) communication devices 400₁, . . . , 400_(N). In this embodiment, the key generation servers 100₁, . . . , 100_(L), the release server 200, the mix-net servers 300₁, . . . , 300_(M), and the communication devices 400₁, . . . , 400_(N) are each connected to a communication network 900. The communication network 900 is a circuit-switching or packet-switching communication network configured so that those of the key generation servers 100₁, . . . , 100_(L), the release server 200, the mix-net servers 300₁, . . . , 300_(M), and the communication devices 400₁, . . . , 400_(N) that need to communicate can communicate with each other. The communication network 900 does not have to be a communication channel whose security is ensured; the Internet, for example, can be used as the communication network 900.

As illustrated in FIG. 3, the key generation server 100 includes a master key generation unit 101, a decryption key and signature key generation unit 102, a transmitting and receiving unit 198, and a recording unit 199. As illustrated in FIG. 4, the release server 200 includes a releasing unit 201, a transmitting and receiving unit 298, and a recording unit 299. As illustrated in FIG. 5, the mix-net server 300 includes a shuffling unit 301, a transmitting and receiving unit 398, and a recording unit 399. As illustrated in FIG. 6, the communication device 400 includes a secret string generation unit 401, a first anonymous broadcast unit 410-1, a second anonymous broadcast unit 410-2, a first key generation unit 421, a second key generation unit 423, a session key generation unit 427, a transmitting and receiving unit 498, and a recording unit 499.

Here, the first anonymous broadcast unit 410-1 and the second anonymous broadcast unit 410-2 each provide a function for sharing a message among the communication devices belonging to a designated set of communication devices. That is, the first anonymous broadcast unit 410-1 and the second anonymous broadcast unit 410-2 provide the same function, and they will be explained together as an anonymous broadcast unit 410 in the following description. As illustrated in FIG. 7, the anonymous broadcast unit 410 includes a cipher text generation unit 411, a cipher text obtaining unit 414, and a message reconstruction unit 415.

The key exchange method of the embodiment is implemented as a result of the key generation servers 100₁, . . . , 100_(L), the release server 200, the mix-net servers 300₁, . . . , 300_(M), and the communication devices 400₁, . . . , 400_(N) performing the processing steps illustrated in FIGS. 8 to 12.

The key generation servers 100₁, . . . , 100_(L), the release server 200, the mix-net servers 300₁, . . . , 300_(M), and the communication devices 400₁, . . . , 400_(N) are each a special device configured as a result of a special program being read into a publicly known or dedicated computer including, for example, a central processing unit (CPU) and a main storage unit (random access memory: RAM). Each device executes each processing under the control of the central processing unit, for example. The data input to each device and the data obtained by each processing are stored in the main storage unit, for instance, and the data stored in the main storage unit is read into the central processing unit when necessary and used for other processing. At least part of each processing unit of each device may be configured with hardware such as an integrated circuit.

Each of the recording units of the key generation servers 100₁, . . . , 100_(L), the release server 200, the mix-net servers 300₁, . . . , 300_(M), and the communication devices 400₁, . . . , 400_(N) can be configured with, for example, a main storage unit such as random access memory (RAM), an auxiliary storage unit configured with a hard disk, an optical disk, or a semiconductor memory device such as flash memory, or middleware such as a relational database or a key-value store. When the recording unit stores secret information, it is desirable that the recording unit is a tamper-resistant storage unit (for example, a SIM card).

In the following explanation, symbols are defined as follows. U_(i) (i∈{1, . . . , N}) denotes the N communication devices 400₁, . . . , 400_(N). Likewise, S_(m) (m∈{1, . . . , M}) denotes the M mix-net servers 300₁, . . . , 300_(M).

Moreover, p is assumed to be a κ-bit prime number and G is assumed to be a finite cyclic group of order p with generators g and h. TCR:{0, 1}*→{0, 1}^(κ) is assumed to be a target-collision resistant hash function. tPRF:{0, 1}^(κ)×FS_(κ)×FS_(κ)×{0, 1}^(κ)→Z_(p) and tPRF′:{0, 1}^(κ)×FS_(κ)×FS_(κ)×{0, 1}^(κ)→FS_(κ) are assumed to be twisted pseudo-random functions. F:{0, 1}^(κ)×G→Z_(p)², F′:{0, 1}^(κ)×Z_(p)→FS_(κ), F″:{0, 1}^(κ)×FS_(κ)→{0, 1}^(κ), and F′″:{0, 1}^(κ)×FS_(κ)→Z_(p) are assumed to be pseudo-random functions.

<System Setup>

A processing procedure of system setup in the key exchange method of the embodiment will be described with reference to FIGS. 8 to 10.

The operation of a key generation server 100_(j) (1≤j≤L) will be described with reference to FIG. 8. In Step S101, the master key generation unit 101 of the key generation server 100_(j) (1≤j≤L) generates master secret keys (MSK_(j), SMSK_(j)) and master public keys (MPK_(j), SMPK_(j)) from the security parameter κ by the master key generation algorithm of the anonymous ID-based broadcast encryption scheme and the master key generation algorithm of the ID-based signature scheme.

Next, in Step S102, the decryption key and signature key generation unit 102 of the key generation server 100_(j) (1≤j≤L) generates a decryption key dk_(i)^((j))←(MSK_(j), ID_(i)) from the master secret key MSK_(j) and the identifier ID_(i) of the communication device U_(i) (1≤i≤N) by the decryption key generation algorithm of the anonymous ID-based broadcast encryption scheme and generates a signature key sk_(i)^((j))←(SMSK_(j), ID_(i)) from the master secret key SMSK_(j) and the identifier ID_(i) of the communication device U_(i) (1≤i≤N) by the signature key generation algorithm of the ID-based signature scheme. The key generation server 100_(j) (1≤j≤L) trans
mits the decryption key dk_(i)^((j)) and the signature key sk_(i)^((j)) to the communication device U_(i) (1≤i≤N) using the transmitting and receiving unit 198. The communication device U_(i) records the received decryption key dk_(i)^((j)) and signature key sk_(i)^((j)) (1≤j≤L) on the recording unit 499. Moreover, the communication device U_(i) obtains the master public keys (MPK_(j), SMPK_(j)) (1≤j≤L) and records them on the recording unit 499.

It is to be noted that the master secret keys (MSK_(j), SMSK_(j)) generated by the key generation server 100_(j) are periodically updated to ensure forward secrecy of the metadata. The update period can be set so that an update is performed once per day, for example.

The operation of the release server 200 will be described with reference to FIG. 9. In Step S201, the releasing unit 201 of the release server 200 releases (p, G, g, h, TCR, tPRF, tPRF′, F, F′, F″, F′″) so that the communication device U_(i) (1≤i≤N) can obtain them. The communication device U_(i) (1≤i≤N) obtains (p, G, g, h, TCR, tPRF, tPRF′, F, F′, F″, F′″) from the release server 200 as appropriate and records them on the recording unit 499.

The operation of the communication device U_(i) (1≤i≤N) will be described with reference to FIG. 10. In Step S401, the secret string generation unit 401 of the communication device U_(i) generates secret strings (st_(i), st′_(i)), which are inputs to a twisted pseudo-random function (where st_(i)∈_(R)FS_(κ) and st′_(i)∈_(R){0, 1}^(κ)). The communication device U_(i) records the generated (st_(i), st′_(i)) on the recording unit 499.

<Anonymous Broadcast>

A processing procedure of anonymous broadcast in the key exchange method of the embodiment will be described with reference to FIG. 11. This processing procedure of anonymous broadcast is used in the processing procedure of session key generation, which will be described later.

A set of communication devices is assumed to be R={U_(i_1), . . . , U_(i_n)} (where {i₁, . . . , i_(n)}⊆{1, . . . , N}), and a communication device U_(i_k) (1≤k≤n) performs anonymous broadcast so as to share a message M_(i_k) with each communication device belonging to the set R while keeping the message M_(i_k) concealed. That is, each communication device belonging to the set R can receive the messages M_(i_1), . . . , M_(i_n), but a communication device which does not belong to the set R cannot receive the messages M_(i_1), . . . , M_(i_n).

Hereinafter, for the sake of simplification, an explanation will be given on the assumption that the set R={U_(i_1), . . . , U_(i_n)}={U₁, . . . , U_(n)}. This does not lead to loss of generality.

In anonymous broadcast in one round (one unit of processing), the following three procedures are executed.

(1) Signature and Encryption

This procedure is executed separately in two cases: a case where the communication device U_(i) is included in the set R and a case where the communication device U_(i) is not included in the set R.

In Step S411, if U_(i)∈R, the cipher text generation unit 411 of the communication device U_(i) generates, from a master public key Σ_(j=1, . . . , L)SMPK_(j), a signature key Σ_(j=1, . . . , L)sk_(i)^((j)), and a message (ID_(i), M_(i)) (that is, a tuple of the identifier ID_(i) of the communication device U_(i), which is the source, and an original message M_(i) to be shared), a signature ω_(i)←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk_(i)^((j)), (ID_(i), M_(i))) for the message (ID_(i), M_(i)) by the signature generation algorithm of the ID-based signature scheme. The cipher text generation unit 411 of the communication device U_(i) then generates cipher text C_(i)←(Σ_(j=1, . . . , L)MPK_(j), (ID_(i), ω_(i), M_(i)), (R−{U_(i)})) from a master public key Σ_(j=1, . . . , L)MPK_(j), plaintext (ID_(i), ω_(i), M_(i)) (that is, a tuple of the identifier ID_(i) of the communication device U_(i), the signature ω_(i), and the original message M_(i)), and a set R−{U_(i)} of recipients by the encryption algorithm of the anonymous ID-based broadcast encryption scheme.

If U_(i)∈{U₁, . . . , U_(N)}−R, the cipher text generation unit 411 of the communication device U_(i) generates cipher text C_(i) which is a dummy message. For example, the dummy message C_(i) is the cipher text obtained by encrypting an appropriate message M_(i) under the master public key Σ_(j=1, . . . , L)MPK_(j) with φ, which means no recipient, being designated. By doing so, decryption of this cipher text in Step S415, which will be described later, fails without exception.

(2) Mix-Net

The communication device U_(i)∈{U₁, . . . , U_(N)} transmits the cipher text C_(i) generated in S411 to the mix-net server S₁ using the transmitting and receiving unit 498. The mix-net servers S₁, . . . , S_(M) sequentially shuffle the cipher text (C₁, . . . , C_(N)) received by the mix-net server S₁. The mix-net server S_(M) posts the shuffled cipher text (˜C₁, . . . , ˜C_(N)) obtained by shuffling the cipher text (C₁, . . . , C_(N)), which is its output message, on a release bulletin board. Here, (C₁, . . . , C_(N)) and (˜C₁, . . . , ˜C_(N)) are equal as sets. That is, {˜C₁, . . . , ˜C_(N)}={C₁, . . . , C_(N)}. For instance, the mix-net server S_(M) only has to upload the shuffled cipher text (˜C₁, . . . , ˜C_(N)) to the release server 200 in order to post it. This allows the communication device U_(i) (1≤i≤N) to obtain the shuffled cipher text (˜C₁, . . . , ˜C_(N)).

(3) Downloading and Check

In Step S414, the cipher text obtaining unit 414 of the communication device U_(i)∈{U₁, . . . , U_(N)} obtains the cipher text {C₁, . . . , C_(N)} by downloading the shuffled cipher text (˜C₁, . . . , ˜C_(N)) from the bulletin board.

In Step S415, the message reconstruction unit 415 of the communication device U_(i)∈{U₁, . . . , U_(N)} generates plaintext (ID_(k), ω_(k), M_(k))←(Σ_(j=1, . . . , L)dk_(i)^((j)), C_(k)) from a decryption key Σ_(j=1, . . . , L)dk_(i)^((j)) and cipher text C_(k) (1≤k≤N) by the decryption algorithm of the anonymous ID-based broadcast encryption scheme (decryption succeeds only if U_(i)∈R−{U_(k)}). If the cipher text C_(k) is successfully decrypted, the message reconstruction unit 415 of the communication device U_(i) generates a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), M_(k), ω_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j) and the message (ID_(k), ω_(k), M_(k)) by the signature verifying algorithm of the ID-based signature scheme and verifies the signature ω_(k). If the signature ω_(k) is successfully verified, the message reconstruction unit 415 of the communication device U_(i) regards the message M_(k) as a message transmitted from the communication device U_(k) with the identifier ID_(k). As a result, the communication device U_(i)∈R obtains the messages M₁, . . . , M_(n) (including the message M_(i) which the communication device U_(i) itself has transmitted). On the other hand, the communication device U_(i)∈{U₁, . . . , U_(N)}−R cannot obtain the messages M₁, . . . , M_(n).

As described above, the communication device U_(i) does not need to use a public key infrastructure, because the communication device U_(i) encrypts the information on destinations (the set R−{U_(i)} of recipients) together with the original message by the encryption algorithm of the anonymous ID-based broadcast encryption scheme. This makes it possible to conceal the information on destinations, which is one piece of metadata. Moreover, since each communication device receives the cipher text via a mix-net and reconstructs the original message, it is possible to conceal the information on the source (the sender U_(i)), which is another piece of metadata. That is, a plurality of users can share messages with the metadata concealed.

<Session Key Generation>

A processing procedure of session key generation in the key exchange method of the embodiment will be described with reference to FIG. 12.

A new session is started among the communication devices of the set R of communication devices={U_(i_1), . . . , U_(i_n)} (where {i₁, . . . , i_(n)}⊆{1, . . . , N}), and a session key is shared among these communication devices.

Hereinafter, for the sake of simplification, an explanation will be given on the assumption that the set R={U_(i_1), . . . , U_(i_n)}={U₁, . . . , U_(n)} and the communication device U_(i_1)=U₁, in the same fashion as described above. This does not lead to loss of generality.

The communication device U₁ which desires to share the session key with each communication device belonging to the set R, with the session key being concealed, is referred to as the representative communication device. The communication devices of the set R−{U₁} are referred to as general communication devices.

(1) Round 1: First Broadcast

This procedure is executed separately in two cases: a case where the communication device U_(i) is included in the set R and a case where the communication device U_(i) is not included in the set R.

In Step S421, if U_(i)∈R, the first key generation unit 421 of the communication device U_(i) generates ˜r_(i)∈_(R){0, 1}^(κ), ˜r′_(i)∈_(R)FS_(κ), ˜k_(i)∈_(R){0, 1}^(κ), ˜k′_(i)∈_(R)FS_(κ), ˜s_(i)∈_(R){0, 1}^(κ), and ˜s′_(i)∈_(R)FS_(κ) and calculates r_(i)=tPRF(˜r_(i), ˜r′_(i), st_(i), st′_(i)), k_(i)=tPRF(˜k_(i), ˜k′_(i), st_(i), st′_(i)), and s_(i)=tPRF(˜s_(i), ˜s′_(i), st_(i), st′_(i)). Furthermore, the first key generation unit 421 of the communication device U_(i) calculates R_(i)=g^(r_i) and c_(i)=g^(k_i)h^(s_i) and generates a first key (R_(i), c_(i)).

If U_(i)∈{U₁, . . . , U_(N)}−R, the first key generation unit 421 of the communication device U_(i) randomly selects R_(i), c_(i)∈_(R)G and generates a first key (R_(i), c_(i)).

In Step S410-1, if U_(i)∈R, the first anonymous broadcast unit 410-1 of the communication device U_(i) anonymously broadcasts the first key (R_(i), c_(i)) with the set R−{U_(i)} being designated.

If U_(i)∈{U₁, . . . , U_(N)}−R, the first anonymous broadcast unit 410-1 of the communication device U_(i) anonymously broadcasts the first key (R_(i), c_(i)) with φ, which means no recipient, being designated.

(2) Round 2: Second Broadcast

This procedure is executed separately in three cases: a case where the communication device U_(i) is included in the set R−{U₁}, a case where the communication device U_(i) is U₁, and a case where the communication device U_(i) is not included in the set R.

In Step S423, if U_(i)∈R−{U₁}, when the communication device U_(i) receives a first key (R_(k), c_(k)) from each communication device U_(k) (1≤k≤n, k≠i) belonging to the set R−{U_(i)}, the second key generation unit 423 of the communication device U_(i) calculates sid=TCR(c₁, . . . , c_(n)). Here, sid is referred to as a session ID. Next, the second key generation unit 423 of the communication device U_(i) calculates K_(i)^((l)), K_(i)^((r)), and T_(i) by the following formulae and randomly selects T′_(i)∈_(R)Z_(p)².

K_(i)^((l)) = F(sid, R_(i−1)^(r_i))

K_(i)^((r)) = F(sid, R_(i+1)^(r_i))

T_(i) = K_(i)^((l)) ⊕ K_(i)^((r))

That is, T_(i) is the exclusive OR of K_(i)^((l)) and K_(i)^((r)).

The second key generation unit 423 of the communication device U_(i) generates, from the master public key Σ_(j=1, . . . , L)SMPK_(j), the signature key Σ_(j=1, . . . , L)sk_(i)^((j)), and a message (R, R_(i), c_(i), k_(i), s_(i), T_(i), T′_(i)) (that is, a tuple of the set R of recipients, R_(i), c_(i), k_(i), and s_(i) generated in S421, and T_(i) and T′_(i) just generated), a signature σ_(i)←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk_(i)^((j)), (R, R_(i), c_(i), k_(i), s_(i), T_(i), T′_(i))) for the message (R, R_(i), c_(i), k_(i), s_(i), T_(i), T′_(i)) by the signature generation algorithm of the ID-based signature scheme. The second key generation unit 423 of the communication device U_(i) generates (k_(i), s_(i), T_(i), T′_(i), σ_(i)) as a second key.

If U_(i)=U₁, when the communication device U₁ receives a first key (R_(k), c_(k)) from each communication device U_(k) (2≤k≤n) belonging to the set R−{U₁}, the second key generation unit 423 of the communication device U₁ calculates sid=TCR(c₁, . . . , c_(n)). Next, the second key generation unit 423 of the communication device U₁ calculates K₁^((l)), K₁^((r)), T₁, and T′ by the following formulae and randomly selects k″₁, s″₁∈_(R)Z_(p).

K₁^((l)) = F(sid, R_(n)^(r_1))

K₁^((r)) = F(sid, R₂^(r_1))

T₁ = K₁^((l)) ⊕ K₁^((r))

T′ = K₁^((l)) ⊕ (k₁∥s₁)

Here, ∥ is a concatenation operator.

The second key generation unit 423 of the communication device U₁ generates, from the master public key Σ_(j=1, . . . , L)SMPK_(j), a signature key Σ_(j=1, . . . , L)sk₁^((j)), and a message (R, R₁, c₁, k″₁, s″₁, T₁, T′) (that is, a tuple of the set R of recipients, R₁ and c₁ generated in S421, and k″₁, s″₁, T₁, and T′ just generated), a signature σ₁←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk₁^((j)), (R, R₁, c₁, k″₁, s″₁, T₁, T′)) for the message (R, R₁, c₁, k″₁, s″₁, T₁, T′) by the signature generation algorithm of the ID-based signature scheme. The second key generation unit 423 of the communication device U₁ generates (k″₁, s″₁, T₁, T′, σ₁) as a second key.

If U_(i)∈{U₁, . . . , U_(N)}−R, the second key generation unit 423 of the communication device U_(i) randomly selects k_(i), s_(i)∈_(R)Z_(p), T_(i), T′_(i)∈_(R)Z_(p)², and a signature σ_(i) which is an element of a signature space Σ. The second key generation unit 423 of the communication device U_(i) generates (k_(i), s_(i), T_(i), T′_(i), σ_(i)) as a second key.

In Step S410-2, if U_(i)∈R−{U₁}, the second anonymous broadcast unit 410-2 of the communication device U_(i) anonymously broadcasts the second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)) with the set R−{U_(i)} being designated.

If U_(i)=U₁, the second anonymous broadcast unit 410-2 of the communication device U₁ anonymously broadcasts the second key (k″₁, s″₁, T₁, T′, σ₁) with the set R−{U₁} being designated.

If U_(i)∈{U₁, . . . , U_(N)}−R, the second anonymous broadcast unit 410-2 of the communication device U_(i) anonymously broadcasts the second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)) with φ, which means no recipient, being designated.

(3) Session Key Generation

This procedure is executed separately in three cases: a case where the communication device U_(i) is included in the set R−{U₁}, a case where the communication device U_(i) is U₁, and a case where the communication device U_(i) is not included in the set R.

It is to be noted that, if the communication device U_(i) is not included in the set R, the communication device U_(i) executes no processing in this procedure.

In Step S427, if U_(i)∈R−{U₁}, when the communication device U_(i) receives the second key (k″₁, s″₁, T₁, T′, σ₁) from the communication device U₁ and a second key (k_(k), s_(k), T_(k), T′_(k), σ_(k)) (2≤k≤n, k≠i) from each other communication device U_(k) belonging to the set R−{U_(i)}, the session key generation unit 427 of the communication device U_(i) generates a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), σ_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), an identifier ID_(k), a message (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)) (that is, a tuple of the set R of recipients, R_(k) and c_(k) received in S423, and k_(k), s_(k), T_(k), and T′_(k) received at the start of S427), and the signature σ_(k) received at the start of S427 by the signature verifying algorithm of the ID-based signature scheme, and verifies the signature σ_(k). If the signature σ_(k) is not successfully verified, the session key generation unit 427 of the communication device U_(i) stops the processing. The session key generation unit 427 of the communication device U_(i) calculates K₁^((l)) and k₁∥s₁ by the following formulae and checks whether c_(k)=g^(k_k)h^(s_k) holds for every k that satisfies 1≤k≤n.

K₁^((l)) = K_(i)^((l)) ⊕ (⊕_(1≤j≤i−1) T_(j))

k₁∥s₁ = T′ ⊕ K₁^((l))

If c_(k)=g^(k_k)h^(s_k) does not hold for at least one k that satisfies 1≤k≤n, the session key generation unit 427 of the communication device U_(i) stops the processing. Otherwise, the session key generation unit 427 of the communication device U_(i) calculates a session key SK by the following formula.

SK = F′(sid, ⊕_(1≤i≤n) k_(i))

If U_(i)=U₁, when the communication device U₁ receives a second key (k_(k), s_(k), T_(k), T′_(k), σ_(k)) from each communication device U_(k) (2≤k≤n) belonging to the set R−{U₁}, the session key generation unit 427 of the communication device U₁ generates a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), σ_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), an identifier ID_(k), a message (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)) (that is, a tuple of the set R of recipients, R_(k) and c_(k) received in S423, and k_(k), s_(k), T_(k), and T′_(k) received at the start of S427), and the signature σ_(k) received at the start of S427 by the signature verifying algorithm of the ID-based signature scheme, and verifies the signature σ_(k). If the signature σ_(k) is not successfully verified, the session key generation unit 427 of the communication device U₁ stops the processing. Moreover, the session key generation unit 427 of the communication device U₁ checks whether c_(k)=g^(k_k)h^(s_k) holds for every k that satisfies 1≤k≤n. If c_(k)=g^(k_k)h^(s_k) does not hold for at least one k that satisfies 1≤k≤n, the session key generation unit 427 of the communication device U₁ stops the processing. Otherwise, the session key generation unit 427 of the communication device U₁ generates a session key SK by the following formula.

SK = F′(sid, ⊕_(1≤i≤n) k_(i))

If U_(i)∈{U₁, . . . , U_(N)}−R, as described earlier, the session key generation unit 427 of the communication device U_(i) does not generate a session key SK.
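The following is an added worked run of Round 1, Round 2 and the session key generation step (S421, S423, S427) for the members of R; it is illustration code written for this page, not the patent's own implementation. Assumptions: the prime-order group G is stood in by the order-q subgroup of Z_P^* for the RFC 2409 1024-bit MODP prime, with g=4 and h derived by hashing so that its discrete logarithm is unknown; tPRF, TCR, F and F′ are built from SHAKE256; the ID-based signatures σ_(i) and the anonymous-broadcast transport are left out, so first and second keys are passed as plain dictionaries; the ring closes U_(n)→U₁, which matches the page's choice of R_(n) and R₂ as U₁'s neighbours. The class and function names (`Member`, `run_session`, `tprf`, `tcr`, `F`, `F2`) are this example's own. It also exercises the failure mode the page describes: a second key modified in transit makes the commitment check c_(k)=g^(k_k)h^(s_k) fail and every member aborts.

```python
"""Toy run of the session key generation procedure for R = {U_1, ..., U_n}."""
import hashlib
import secrets

# RFC 2409 group 2 prime (safe prime); the order-Q subgroup stands in for G (assumption).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2          # prime order (the page's p)
G = 4                     # 2^2 generates the quadratic-residue subgroup of order Q
H = pow(int.from_bytes(hashlib.sha256(b"second generator h").digest(), "big"), 2, P)
ELEM = 128                # bytes per group element or exponent


def xof(*parts, n):
    """Length-prefixed SHAKE256; the PRF family (tPRF, TCR, F, F') is built on it (stand-in)."""
    h = hashlib.shake_256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest(n)


def i2b(x):
    return x.to_bytes(ELEM, "big")


def tprf(a, a2, st, st2):
    """Twisted PRF stand-in: PRF(a, st') xor PRF(st, a'), reduced into Z_Q."""
    x = int.from_bytes(xof(b"tPRF", a, st2, n=ELEM + 16), "big")
    y = int.from_bytes(xof(b"tPRF", st, a2, n=ELEM + 16), "big")
    return (x ^ y) % Q


def tcr(commitments):     # sid = TCR(c_1, ..., c_n)
    return xof(b"TCR", *(i2b(c) for c in commitments), n=32)


def F(sid, shared):       # K values, long enough to mask k_1 || s_1
    return xof(b"F", sid, i2b(shared), n=2 * ELEM)


def F2(sid, k):           # F': session key derivation
    return xof(b"F'", sid, i2b(k), n=32)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Member:
    """One U_i in R; index 1 is the representative device."""

    def __init__(self, idx, n):
        self.idx, self.n = idx, n
        self.st, self.st2 = secrets.token_bytes(32), secrets.token_bytes(32)   # Step S401

    def _fresh(self):
        return tprf(secrets.token_bytes(32), secrets.token_bytes(32), self.st, self.st2)

    def round1(self):
        """Step S421: r_i, k_i, s_i via tPRF; first key (R_i, c_i), c_i = g^k_i h^s_i."""
        self.r, self.k, self.s = self._fresh(), self._fresh(), self._fresh()
        self.R = pow(G, self.r, P)
        self.c = pow(G, self.k, P) * pow(H, self.s, P) % P
        return (self.R, self.c)

    def round2(self, first):
        """Step S423; first = {j: (R_j, c_j)}. Returns the second key (signature omitted)."""
        n = self.n
        sid = tcr([first[j][1] for j in range(1, n + 1)])
        left = n if self.idx == 1 else self.idx - 1
        right = 1 if self.idx == n else self.idx + 1
        self.Kl = F(sid, pow(first[left][0], self.r, P))    # K_i^(l) = F(sid, R_{i-1}^{r_i})
        self.Kr = F(sid, pow(first[right][0], self.r, P))   # K_i^(r) = F(sid, R_{i+1}^{r_i})
        T = xor(self.Kl, self.Kr)                           # T_i = K_i^(l) xor K_i^(r)
        if self.idx == 1:
            T2 = xor(self.Kl, i2b(self.k) + i2b(self.s))    # T' = K_1^(l) xor (k_1 || s_1)
            return (secrets.randbelow(Q), secrets.randbelow(Q), T, T2)   # (k''_1, s''_1, T_1, T')
        return (self.k, self.s, T, secrets.token_bytes(2 * ELEM))        # (k_i, s_i, T_i, T'_i)

    def session_key(self, first, second):
        """Step S427; second = {j: (k_j, s_j, T_j, T'_j)}. Returns SK, or None on abort."""
        n = self.n
        sid = tcr([first[j][1] for j in range(1, n + 1)])
        if self.idx == 1:
            k1, s1 = self.k, self.s
        else:
            K1l = self.Kl                                    # K_1^(l) = K_i^(l) xor T_1 ... xor T_{i-1}
            for j in range(1, self.idx):
                K1l = xor(K1l, second[j][2])
            ks = xor(second[1][3], K1l)                      # k_1 || s_1 = T' xor K_1^(l)
            k1, s1 = int.from_bytes(ks[:ELEM], "big"), int.from_bytes(ks[ELEM:], "big")
        shares = {1: (k1, s1), **{j: second[j][:2] for j in range(2, n + 1)}}
        for j, (kj, sj) in shares.items():                   # c_j = g^k_j h^s_j must hold for all j
            if first[j][1] != pow(G, kj, P) * pow(H, sj, P) % P:
                return None
        acc = 0
        for kj, _ in shares.values():
            acc ^= kj
        return F2(sid, acc)                                  # SK = F'(sid, k_1 xor ... xor k_n)


def run_session(n, tamper=False):
    """Run the three steps for R = {U_1..U_n}; tamper alters k_2 in transit."""
    members = [Member(i, n) for i in range(1, n + 1)]
    first = {m.idx: m.round1() for m in members}
    second = {m.idx: m.round2(first) for m in members}
    if tamper:
        k, s, T, T2 = second[2]
        second[2] = ((k + 1) % Q, s, T, T2)
    return [m.session_key(first, second) for m in members]
```

The telescoping that makes the recovery of K₁^((l)) work is visible in `round2`: K_(j)^((r)) equals K_(j+1)^((l)) because R_(j+1)^(r_j)=R_(j)^(r_(j+1)), so the XOR of T₁, . . . , T_(i−1) collapses to K₁^((l))⊕K_(i)^((l)). Because U₁ broadcasts random (k″₁, s″₁) and hides the real pair inside T′, only a device that can form its own K_(i)^((l)) (that is, a member of R) learns k₁, and the commitment check then ties every contribution to the first-round value c_(k).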

With the above-described configuration, the key exchange technique of this invention makes it possible for a plurality of communication devices to share a session key with metadata being concealed.

Anonymous broadcast establishes a concealed communication channel, over which messages can be exchanged at regular intervals, by using the mix-net. By implementing a key exchange by the session key generation procedure over this concealed communication channel, concealment of metadata is implemented. Furthermore, by performing communication using the shared session key, concealed communication is implemented. In this way, leakage of metadata from the key exchange protocol can be prevented, which makes it possible to conceal the metadata completely.

The use of this key exchange protocol provides, for example, a global company or a company using satellite communications with a network such as The Onion Router (Tor), which makes a connection path in TCP/IP anonymous, and thereby makes it possible to ensure confidentiality of communication, including its metadata.

It goes without saying that this invention is not limited to the above embodiment, and modifications may be made within the scope of this invention. Also, the various processes described in the embodiment may be executed not only in chronological sequence in accordance with the order of their description but also in parallel or separately according to the processing capability of the device executing the processing or any necessity.

[Program and Recording Medium]

When the various types of processing functions in the devices described in the above embodiment are implemented on a computer, the contents of the processing functions to be contained in each device are written as a program. With this program executed on the computer, the various types of processing functions in the above-described devices are implemented on the computer.

This program in which the contents of processing are written can be recorded on a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, or a semiconductor memory.

Distribution of this program is implemented by sale, transfer, rental, and other transactions of a portable recording medium such as a DVD or a CD-ROM on which the program is recorded, for example. Furthermore, this program may be stored in a storage unit of a server computer and transferred from the server computer to other computers via a network so as to be distributed.

A computer which executes such a program first stores the program recorded on a portable recording medium or transferred from a server computer in a storage unit thereof, for example. When the processing is performed, the computer reads out the program stored in its storage unit and performs processing in accordance with the program thus read out. As another execution form of this program, the computer may directly read out the program from a portable recording medium and perform processing in accordance with the program. Furthermore, each time the program is transferred to the computer from the server computer, the computer may sequentially perform processing in accordance with the received program. Alternatively, a configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by a so-called application service provider (ASP)-type service, by which the processing functions are implemented only by an instruction for execution thereof and result acquisition. It should be noted that a program in this form includes information which is provided for processing performed by electronic calculation equipment and which is equivalent to a program (such as data which is not a direct instruction to the computer but has a property specifying the processing performed by the computer).

In this form, the present device is configured with a predetermined program executed on a computer. However, the present device may be configured with at least part of these processing contents realized in hardware.

The foregoing description of the embodiment of the invention has been presented for the purpose of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications or variations are possible in light of the above teaching. The embodiment was chosen and described to provide the best illustration of the principles of the invention and its practical application, and to enable one of ordinary skill in the art to utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. All such modifications and variations are within the scope of the invention as determined by the appended claims when interpreted in accordance with the breadth to which they are fairly, legally, and equitably entitled.

What is claimed is:
1. An anonymous broadcast method, wherein N is assumed to be an integer greater than or equal to 2 and L is assumed to be an integer greater than or equal to 1, the anonymous broadcast method allows communication devices of N communication devices U₁, . . . , U_(N), the communication devices included in a set R of communication devices={U₁, . . . , U_(n)} (2≤n≤N), to share messages M₁, . . . , M_(n), ID_(i) (1≤i≤N) is assumed to be an identifier of a communication device U_(i), MPK_(j) (1≤j≤L) is assumed to be a master public key of an anonymous ID-based broadcast encryption scheme, SMPK_(j) (1≤j≤L) is assumed to be a master public key of an ID-based signature scheme, dk_(i)^((j)) (1≤i≤N, 1≤j≤L) is assumed to be a decryption key of the anonymous ID-based broadcast encryption scheme, and sk_(i)^((j)) (1≤i≤N, 1≤j≤L) is assumed to be a signature key of the ID-based signature scheme, and the anonymous broadcast method includes a cipher text generation step in which, for i∈{1, . . . , n}, the communication device U_(i) generates a signature ω_(i)←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk_(i)^((j)), (ID_(i), M_(i))) from a master public key Σ_(j=1, . . . , L)SMPK_(j), a signature key Σ_(j=1, . . . , L)sk_(i)^((j)), and a message (ID_(i), M_(i)) which is a tuple of the identifier ID_(i) and a message M_(i) and generates cipher text C_(i)←(Σ_(j=1, . . . , L)MPK_(j), (ID_(i), ω_(i), M_(i)), (R−{U_(i)})) from a master public key Σ_(j=1, . . . , L)MPK_(j), plaintext (ID_(i), ω_(i), M_(i)) which is a tuple of the identifier ID_(i), the signature ω_(i), and the message M_(i), and a set R−{U_(i)}, and, for i∈{n+1, . . . , N}, the communication device U_(i) generates cipher text C_(i) which is a dummy message, a cipher text obtaining step in which, for i∈{1, . . . , N}, the communication device U_(i) obtains cipher text {C₁, . . . , C_(N)} obtained by a shuffle performed by a mix-net, and a message reconstruction step in which, for i∈{1, . . . , N}, the communication device U_(i) generates a message (ID_(k), ω_(k), M_(k))←(Σ_(j=1, . . . , L)dk_(i)^((j)), C_(k)) from a decryption key Σ_(j=1, . . . , L)dk_(i)^((j)) and cipher text C_(k) (1≤k≤N) and, if U_(i)∈R−{U_(k)}, generates a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), M_(k), ω_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j) and the message (ID_(k), ω_(k), M_(k)), and, if a signature ω_(k) is successfully verified, regards a message M_(k) as a message transmitted from a communication device U_(k) with an identifier ID_(k), and the communication device U_(i)∈R obtains the messages M₁, . . . , M_(n).
2. A key exchange method, wherein N is assumed to be an integer greater than or equal to 2 and L is assumed to be an integer greater than or equal to 1, the key exchange method allows communication devices of N communication devices U₁, . . . , U_(N), the communication devices included in a set R of communication devices={U₁, . . . , U_(n)} (2≤n≤N), to share a session key SK, ID_(i) (1≤i≤N) is assumed to be an identifier of a communication device U_(i), MPK_(j) (1≤j≤L) is assumed to be a master public key of an anonymous ID-based broadcast encryption scheme, SMPK_(j) (1≤j≤L) is assumed to be a master public key of an ID-based signature scheme, dk_(i)^((j)) (1≤i≤N, 1≤j≤L) is assumed to be a decryption key of the anonymous ID-based broadcast encryption scheme, sk_(i)^((j)) (1≤i≤N, 1≤j≤L) is assumed to be a signature key of the ID-based signature scheme, G is assumed to be a finite cyclic group of prime order p with generators g and h, and ∥ is assumed to be a concatenation operator, secret strings st_(i) and st′_(i) are recorded on a recording unit of the communication device U_(i) (1≤i≤N), and the key exchange method includes a first key generation step in which, for i∈{1, . . . , n}, the communication device U_(i) calculates r_(i), k_(i), and s_(i) using the secret strings st_(i) and st′_(i) by a twisted pseudo-random function and generates a first key (R_(i), c_(i)) by calculating R_(i)=g^(r_i) and c_(i)=g^(k_i)h^(s_i), and, for i∈{n+1, . . . , N}, the communication device U_(i) randomly selects R_(i), c_(i)∈_(R)G and generates a first key (R_(i), c_(i)), a first anonymous broadcast step in which, for i∈{1, . . . , n}, the communication device U_(i) anonymously broadcasts the first key (R_(i), c_(i)) with a set R−{U_(i)} being designated, and, for i∈{n+1, . . . , N}, the communication device U_(i) anonymously broadcasts the first key (R_(i), c_(i)) with φ, which means no recipient, being designated, a second key generation step in which, for i∈{2, . . . , n}, the communication device U_(i) calculates a session ID sid using c_(k) (1≤k≤n) by a target-collision resistant hash function, calculates K_(i)^((l)) using (sid, R_(i−1)^(r_i)) by a pseudo-random function, calculates K_(i)^((r)) using (sid, R_(i+1)^(r_i)) by a pseudo-random function, calculates T_(i) by an exclusive OR of K_(i)^((l)) and K_(i)^((r)), randomly selects T′_(i)∈_(R)Z_(p)², generates a signature σ_(i)←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk_(i)^((j)), (R, R_(i), c_(i), k_(i), s_(i), T_(i), T′_(i))) from a master public key Σ_(j=1, . . . , L)SMPK_(j), a signature key Σ_(j=1, . . . , L)sk_(i)^((j)), and a message (R, R_(i), c_(i), k_(i), s_(i), T_(i), T′_(i)), and generates a second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)), for i=1, a communication device U₁ calculates a session ID sid from c_(k) (1≤k≤n) by a target-collision resistant hash function, calculates K₁^((l)) using (sid, R_(n)^(r_1)) by a pseudo-random function, calculates K₁^((r)) using (sid, R₂^(r_1)) by a pseudo-random function, calculates T₁ by an exclusive OR of K₁^((l)) and K₁^((r)), calculates T′ by an exclusive OR of K₁^((l)) and k₁∥s₁, randomly selects k″₁, s″₁∈_(R)Z_(p), generates a signature σ₁←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk₁^((j)), (R, R₁, c₁, k″₁, s″₁, T₁, T′)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), a signature key Σ_(j=1, . . . , L)sk₁^((j)), and a message (R, R₁, c₁, k″₁, s″₁, T₁, T′), and generates a second key (k″₁, s″₁, T₁, T′, σ₁), and, for i∈{n+1, . . . , N}, the communication device U_(i) randomly selects k_(i), s_(i)∈_(R)Z_(p), T_(i), T′_(i)∈_(R)Z_(p)², and σ_(i)∈_(R)Σ (where Σ is a signature space) and generates a second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)), a second anonymous broadcast step in which, for i∈{2, . . . , n}, the communication device U_(i) anonymously broadcasts the second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)) with the set R−{U_(i)} being designated, for i=1, the communication device U₁ anonymously broadcasts the second key (k″₁, s″₁, T₁, T′, σ₁) with a set R−{U₁} being designated, and, for i∈{n+1, . . . , N}, the communication device U_(i) anonymously broadcasts the second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)) with φ being designated, and a session key generation step in which, for i∈{2, . . . , n}, when the communication device U_(i) obtains the second key (k″₁, s″₁, T₁, T′, σ₁) and a second key (k_(k), s_(k), T_(k), T′_(k), σ_(k)) (2≤k≤n, k≠i), the communication device U_(i) generates a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), σ_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), a message (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), and a signature σ_(k), if the signature σ_(k) is successfully verified, calculates K₁^((l)) by an exclusive OR of K_(i)^((l)) and an exclusive OR of T_(j) (1≤j≤i−1), calculates k₁∥s₁ by an exclusive OR of T′ and K₁^((l)), and, if c_(k)=g^(k_k)h^(s_k) holds for every k that satisfies 1≤k≤n, generates the session key SK using the sid and an exclusive OR of the k_(i) (1≤i≤n) by a pseudo-random function, and, for i=1, when the communication device U₁ obtains a second key (k_(k), s_(k), T_(k), T′_(k), σ_(k)) (2≤k≤n), the communication device U₁ generates a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), σ_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), a message (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), and a signature σ_(k) and, if the signature σ_(k) is successfully verified and c_(k)=g^(k_k)h^(s_k) holds for every k that satisfies 1≤k≤n, generates the session key SK using the sid and an exclusive OR of the k_(i) (1≤i≤n) by a pseudo-random function.
3. An anonymous broadcast system, wherein N is assumed to be an integer greater than or equal to 2 and L is assumed to be an integer greater than or equal to 1, the anonymous broadcast system allows communication devices of N communication devices U₁, . . . , U_(N), the communication devices included in a set R of communication devices={U₁, . . . , U_(n)} (2≤n≤N), to share messages M₁, . . . , M_(n), ID_(i) (1≤i≤N) is assumed to be an identifier of a communication device U_(i), MPK_(j) (1≤j≤L) is assumed to be a master public key of an anonymous ID-based broadcast encryption scheme, SMPK_(j) (1≤j≤L) is assumed to be a master public key of an ID-based signature scheme, dk_(i)^((j)) (1≤i≤N, 1≤j≤L) is assumed to be a decryption key of the anonymous ID-based broadcast encryption scheme, and sk_(i)^((j)) (1≤i≤N, 1≤j≤L) is assumed to be a signature key of the ID-based signature scheme, the communication device U_(i) (1≤i≤N) includes an anonymous broadcast unit, and the anonymous broadcast unit includes a cipher text generation unit that generates, for i∈{1, . . . , n}, a signature ω_(i)←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk_(i)^((j)), (ID_(i), M_(i))) from a master public key Σ_(j=1, . . . , L)SMPK_(j), a signature key Σ_(j=1, . . . , L)sk_(i)^((j)), and a message (ID_(i), M_(i)) which is a tuple of the identifier ID_(i) and a message M_(i) and generates cipher text C_(i)←(Σ_(j=1, . . . , L)MPK_(j), (ID_(i), ω_(i), M_(i)), (R−{U_(i)})) from a master public key Σ_(j=1, . . . , L)MPK_(j), plaintext (ID_(i), ω_(i), M_(i)) which is a tuple of the identifier ID_(i), the signature ω_(i), and the message M_(i), and a set R−{U_(i)}, and generates, for i∈{n+1, . . . , N}, cipher text C_(i) which is a dummy message, a cipher text obtaining unit that obtains cipher text {C₁, . . . , C_(N)} obtained by a shuffle performed by a mix-net, and a message reconstruction unit that generates a message (ID_(k), ω_(k), M_(k))←(Σ_(j=1, . . . , L)dk_(i)^((j)), C_(k)) from a decryption key Σ_(j=1, . . . , L)dk_(i)^((j)) and cipher text C_(k) (1≤k≤N), generates, for i∈{1, . . . , n} (where i≠k), a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), M_(k), ω_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j) and the message (ID_(k), ω_(k), M_(k)) and, if a signature ω_(k) is successfully verified, regards a message M_(k) as a message transmitted from a communication device U_(k) with an identifier ID_(k), and obtains, for i∈{1, . . . , n}, the messages M₁, . . . , M_(n).
4. A key exchange system, wherein N is assumed to be an integer greater than or equal to 2 and L is assumed to be an integer greater than or equal to 1, the key exchange system allows communication devices of N communication devices U₁, . . . , U_(N), the communication devices included in a set R of communication devices={U₁, . . . , U_(n)} (2≤n≤N), to share a session key SK, ID_(i) (1≤i≤N) is assumed to be an identifier of a communication device U_(i), MPK_(j) (1≤j≤L) is assumed to be a master public key of an anonymous ID-based broadcast encryption scheme, SMPK_(j) (1≤j≤L) is assumed to be a master public key of an ID-based signature scheme, dk_(i)^((j)) (1≤i≤N, 1≤j≤L) is assumed to be a decryption key of the anonymous ID-based broadcast encryption scheme, sk_(i)^((j)) (1≤i≤N, 1≤j≤L) is assumed to be a signature key of the ID-based signature scheme, G is assumed to be a finite cyclic group of prime number order p with generators g and h, and ∥ is assumed to be a concatenation operator, and the communication device U_(i) (1≤i≤N) includes a recording unit on which secret strings st_(i) and st′_(i) are recorded, a first key generation unit that calculates, for i∈{1, . . . , n}, r_(i), k_(i), and s_(i) using the secret strings st_(i) and st′_(i) by a twisted pseudo-random function and generates a first key (R_(i), c_(i)) by calculating R_(i)=g^(r_i) and c_(i)=g^(k_i)h^(s_i), and randomly selects, for i∈{n+1, . . . , N}, R_(i), c_(i)∈_(R)G and generates a first key (R_(i), c_(i)), a first anonymous broadcast unit that anonymously broadcasts, for i∈{1, . . . , n}, the first key (R_(i), c_(i)) with a set R−{U_(i)} being designated, and anonymously broadcasts, for i∈{n+1, . . . , N}, the first key (R_(i), c_(i)) with φ, which means no recipient, being designated, a second key generation unit that calculates, for i∈{2, . . . , n}, a session ID sid using c_(k) (1≤k≤n) by a target-collision resistant hash function, calculates K_(i)^((l)) using (sid, R_(i−1)^(r_i)) by a pseudo-random function, calculates K_(i)^((r)) using (sid, R_(i+1)^(r_i)) by a pseudo-random function, calculates T_(i) by an exclusive OR of K_(i)^((l)) and K_(i)^((r)), randomly selects T′_(i)∈_(R)Z_(p)², generates a signature σ_(i)←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk_(i)^((j)), (R, R_(i), c_(i), k_(i), s_(i), T_(i), T′_(i))) from a master public key Σ_(j=1, . . . , L)SMPK_(j), a signature key Σ_(j=1, . . . , L)sk_(i)^((j)), and a message (R, R_(i), c_(i), k_(i), s_(i), T_(i), T′_(i)), and generates a second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)), calculates, for i=1, a session ID sid from c_(k) (1≤k≤n) by a target-collision resistant hash function, calculates K_(i)^((l)) using (sid, R_(n)^(r_1)) by a pseudo-random function, calculates K_(i)^((r)) using (sid, R₂^(r_1)) by a pseudo-random function, calculates T₁ by an exclusive OR of K₁^((l)) and K₁^((r)), calculates T′ by an exclusive OR of K₁^((l)) and k₁∥s₁, randomly selects k″₁, s″₁∈_(R)Z_(p), generates a signature σ₁←(Σ_(j=1, . . . , L)SMPK_(j), Σ_(j=1, . . . , L)sk₁^((j)), (R, R₁, c₁, k″₁, s″₁, T₁, T′)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), a signature key Σ_(j=1, . . . , L)sk₁^((j)), and a message (R, R₁, c₁, k″₁, s″₁, T₁, T′), and generates a second key (k″₁, s″₁, T₁, T′, σ₁), and randomly selects, for i∈{n+1, . . . , N}, k_(i), s_(i)∈_(R)Z_(p), T_(i), T′_(i)∈_(R)Z_(p)², and σ_(i)∈_(R)Σ (where Σ is a signature space) and generates a second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)), a second anonymous broadcast unit that anonymously broadcasts, for i∈{2, . . . , n}, the second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)) with the set R−{U_(i)} being designated, anonymously broadcasts, for i=1, the second key (k″₁, s″₁, T₁, T′, σ₁) with a set R−{U₁} being designated, and anonymously broadcasts, for i∈{n+1, . . . , N}, the second key (k_(i), s_(i), T_(i), T′_(i), σ_(i)) with φ being designated, and a session key generation unit that generates, for i∈{2, . . . , n}, when obtaining the second key (k″₁, s″₁, T₁, T′, σ₁) and a second key (k_(k), s_(k), T_(k), T′_(k), σ_(k)) (2≤k≤n, k≠i), a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), σ_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), a message (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), and a signature σ_(k), if the signature σ_(k) is successfully verified, calculates K₁^((l)) by an exclusive OR of K_(i)^((l)) and an exclusive OR of T_(j) (1≤j≤i−1), calculates k₁∥s₁ by an exclusive OR of T′ and K₁^((l)), and, if c_(k)=g^(k_k)h^(s_k) holds for k that satisfies 1≤k≤n, generates the session key SK using the sid and an exclusive OR of the k_(i) (1≤i≤n) by a pseudo-random function, and generates, for i=1, when obtaining a second key (k_(k), s_(k), T_(k), T′_(k), σ_(k)) (2≤k≤n), a verification result Ver_(k)←(Σ_(j=1, . . . , L)SMPK_(j), ID_(k), (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), σ_(k)) from the master public key Σ_(j=1, . . . , L)SMPK_(j), a message (R, R_(k), c_(k), k_(k), s_(k), T_(k), T′_(k)), and a signature σ_(k) and, if the signature σ_(k) is successfully verified and c_(k)=g^(k_k)h^(s_k) holds for k that satisfies 1≤k≤n, generates the session key SK using the sid and an exclusive OR of the k_(i) (1≤i≤n) by a pseudo-random function.
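The ring computation of claim 4, as an added Python example that is not part of the patent: the neighbour keys K_(i)^((l)) and K_(i)^((r)), the chaining values T_(i), U₁'s masked T′, the recovery of k₁∥s₁ by every other device, the commitment check c_(k)=g^(k_k)h^(s_k) and the derivation of SK. The anonymous broadcast, the ID-based signatures and the dummy devices U_(n+1), . . . , U_(N) are left out; the twisted pseudo-random function is replaced by plain random sampling, the pseudo-random function by HMAC-SHA256, the target-collision resistant hash by SHA-256 and the group G by a toy prime-order subgroup, all of which are assumptions of this example.

```python
import hashlib, hmac, secrets
from functools import reduce

# Toy group (constructed for illustration; far too small for real use): G is the
# order-q subgroup of quadratic residues in Z_P^* with P = 2q + 1, g = 4, h = 9.
P, Q, g, h = 1019, 509, 4, 9

def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function F(sid, x), modelled with HMAC-SHA256 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def commit(k: int, s: int) -> int:
    """c = g^k * h^s, the commitment carried in the first key (R_i, c_i)."""
    return pow(g, k, P) * pow(h, s, P) % P

def ring_key_exchange(n: int, tamper: bool = False) -> list:
    """Honest run of the n-party ring exchange; returns each U_i's session key.
    With tamper=True one bit of T' is flipped in transit so the commitment check fails."""
    r = [secrets.randbelow(Q) for _ in range(n)]
    k = [secrets.randbelow(Q) for _ in range(n)]
    s = [secrets.randbelow(Q) for _ in range(n)]
    # First key: R_i = g^r_i and c_i = g^k_i h^s_i; sid is a hash over all c_k
    R = [pow(g, ri, P) for ri in r]
    c = [commit(ki, si) for ki, si in zip(k, s)]
    sid = hashlib.sha256(b"".join(ci.to_bytes(2, "big") for ci in c)).digest()
    # Neighbour keys on the ring: K_i^(l) from R_{i-1}^r_i, K_i^(r) from R_{i+1}^r_i
    Kl = [prf(sid, pow(R[i - 1], r[i], P).to_bytes(2, "big")) for i in range(n)]
    Kr = [prf(sid, pow(R[(i + 1) % n], r[i], P).to_bytes(2, "big")) for i in range(n)]
    T = [xor(Kl[i], Kr[i]) for i in range(n)]
    # U_1 hides k_1 || s_1 under K_1^(l); U_2..U_n send (k_i, s_i) in the clear
    Tp = xor(Kl[0], k[0].to_bytes(16, "big") + s[0].to_bytes(16, "big"))
    if tamper:
        Tp = bytes([Tp[0] ^ 1]) + Tp[1:]
    keys = []
    for i in range(n):
        # K_1^(l) = K_i^(l) xor T_1 xor ... xor T_{i-1}, because K_i^(l) = K_{i-1}^(r)
        K1l = reduce(xor, T[:i], Kl[i])
        ks_bytes = xor(Tp, K1l)
        k1, s1 = int.from_bytes(ks_bytes[:16], "big"), int.from_bytes(ks_bytes[16:], "big")
        ks = [(k1, s1)] + list(zip(k[1:], s[1:]))
        # Every c_k must open to the (k_k, s_k) in hand before SK is derived
        if any(commit(kk, ss) != c[j] for j, (kk, ss) in enumerate(ks)):
            raise ValueError(f"U_{i + 1}: commitment check failed, aborting")
        k_xor = reduce(lambda a, b: a ^ b, (kk for kk, _ in ks))
        keys.append(prf(sid, k_xor.to_bytes(16, "big")))
    return keys
```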
5. A communication device with which the anonymous broadcast system according to claim 3 or the key exchange system according to claim 4 is configured.
 6. A program for making a computer function as a communication device with which the anonymous broadcast system according to claim 3 or the key exchange system according to claim 4 is configured.